Analysis
max time kernel: 137s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 17:43
Static task: static1
Behavioral task: behavioral1
Sample: 2024-01-25_191333d8394582475727690afaa8f41a_cryptolocker.exe
Resource: win7-20231215-en
General
Target: 2024-01-25_191333d8394582475727690afaa8f41a_cryptolocker.exe
Size: 31KB
MD5: 191333d8394582475727690afaa8f41a
SHA1: 2e24a0c9e42891b839b0eea5a4c8f3556e853227
SHA256: 897d68acd781294c9c7fdb207d2b4369332988339771a76804cc42f3bbb40f4e
SHA512: 41c22dbd09aca953f7f3f974a6bd3d6ed6b1478ab4b1e913ecf8d83e2e8077434b49b6e3295aba554a9d8c7710aaa94a8cee6e1ef493863387307df492908111
SSDEEP: 384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6ckJp0qAMubA:bAvJCYOOvbRPDEgXRc+BA/bA
Malware Config
Signatures
- Detection of CryptoLocker Variants (1 IoC)
  resource: C:\Users\Admin\AppData\Local\Temp\demka.exe
  yara_rule: CryptoLocker_rule2
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence. The value under Control Panel\International\Geo\Nation is the numeric Windows GeoID of the user's configured region (for example 244 for United States), not an ISO country code, so a geofence check compares against a list of GeoIDs.
  Key value queried: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation by 2024-01-25_191333d8394582475727690afaa8f41a_cryptolocker.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation by demka.exe
- Executes dropped EXE (1 IoC)
  PID 4384: demka.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4008 (2024-01-25_191333d8394582475727690afaa8f41a_cryptolocker.exe) wrote to the memory of PID 4384 (demka.exe); recorded three times. The parent writing into the child it has just spawned is consistent with a dropper staging its payload process; the report does not record what was written.
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-01-25_191333d8394582475727690afaa8f41a_cryptolocker.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-25_191333d8394582475727690afaa8f41a_cryptolocker.exe"
   PID: 4008
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\demka.exe (child of PID 4008)
      Command line: "C:\Users\Admin\AppData\Local\Temp\demka.exe"
      PID: 4384
      - Checks computer location settings
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 32KB
MD5: 6f81165fefd3030bc9a0421d853157d0
SHA1: d5f3c7e7859d59568cbfd50f313c23809dd64e3a
SHA256: 89f4baff6209770d54a219e883b802d5319c82d4275d5da1ebdd200efd53b88c
SHA512: 2459308b099ac74eefb954a133cc1b71771d20bf321381f204d2b6a6a5c778eff10e32b695a586f47a9bfa52172bee049758f42dfbe95d4dd1ea3a6c8668ccd4
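Before acting on any of the findings above, confirm that the file in hand is the one this report describes, and check suspected dropped files against the Downloads entry. The Python below is an added example, not part of the sandbox report or its tooling. It embeds the digests printed under General and Downloads exactly as the report lists them (the report does not say which dropped file the Downloads hashes belong to), labels a bare hex digest by its length (useful when, as in the scraped Downloads block, the algorithm name was fused into the value), and hashes a buffer or a file once for all four algorithms. Function names are our own, and the bytes used in the test are a constructed stand-in, not the malware.

```python
"""Match a file in hand against the digests recorded in this report.

Added example: the digest constants are copied from the report text, the
helper names are ours, and no malware content is reproduced here.
"""
import hashlib
from typing import Dict, Optional

# Digests of the submitted sample, copied from the General section.
SAMPLE_DIGESTS = {
    "md5": "191333d8394582475727690afaa8f41a",
    "sha1": "2e24a0c9e42891b839b0eea5a4c8f3556e853227",
    "sha256": "897d68acd781294c9c7fdb207d2b4369332988339771a76804cc42f3bbb40f4e",
    "sha512": "41c22dbd09aca953f7f3f974a6bd3d6ed6b1478ab4b1e913ecf8d83e2e8077434b49b6e3295aba554a9d8c7710aaa94a8cee6e1ef493863387307df492908111",
}

# Digests of the 32KB file listed under Downloads (the report does not name it).
DOWNLOAD_DIGESTS = {
    "md5": "6f81165fefd3030bc9a0421d853157d0",
    "sha1": "d5f3c7e7859d59568cbfd50f313c23809dd64e3a",
    "sha256": "89f4baff6209770d54a219e883b802d5319c82d4275d5da1ebdd200efd53b88c",
    "sha512": "2459308b099ac74eefb954a133cc1b71771d20bf321381f204d2b6a6a5c778eff10e32b695a586f47a9bfa52172bee049758f42dfbe95d4dd1ea3a6c8668ccd4",
}

REPORT_ENTRIES = {"sample": SAMPLE_DIGESTS, "download": DOWNLOAD_DIGESTS}

# Hex length of each digest -> hashlib algorithm name. SSDEEP is a fuzzy hash,
# not a hashlib digest, so it is deliberately absent here.
DIGEST_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
ALGORITHMS = tuple(DIGEST_BY_LENGTH.values())


def classify_digest(hexdigest: str) -> Optional[str]:
    """Label a bare hex digest by its length; None if it is not a hex string
    of a recognised length."""
    s = hexdigest.strip().lower()
    if not s or any(c not in "0123456789abcdef" for c in s):
        return None
    return DIGEST_BY_LENGTH.get(len(s))


def digests_from_stream(stream, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file-like object once, feeding every algorithm per chunk so a
    large file is read from disk a single time."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compute_digests(data: bytes) -> Dict[str, str]:
    """Same result as digests_from_stream, for bytes already in memory."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: str) -> Dict[str, str]:
    with open(path, "rb") as fp:
        return digests_from_stream(fp)


def verify_digests(data: bytes, expected: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm comparison of data against expected hex digests. A single
    False means the bytes are not what the report describes (or a digest was
    mis-transcribed); an algorithm hashlib does not know is reported False."""
    actual = compute_digests(data)
    return {name: actual.get(name) == value.strip().lower()
            for name, value in expected.items()}


def matches_report(data: bytes, expected: Dict[str, str]) -> bool:
    results = verify_digests(data, expected)
    return bool(results) and all(results.values())


def identify_digests(digests: Dict[str, str]) -> Optional[str]:
    """Which report entry, if any, a computed digest set corresponds to."""
    for label, expected in REPORT_ENTRIES.items():
        if all(digests.get(name) == value for name, value in expected.items()):
            return label
    return None


def identify(data: bytes) -> Optional[str]:
    return identify_digests(compute_digests(data))


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        digests = hash_file(path)
        print(path, identify_digests(digests) or "no match", digests["sha256"])
```

Match on SHA256 or SHA512 rather than MD5 alone: MD5 and SHA1 are fine as lookup keys into a feed but are not collision-resistant. The report's SSDEEP line is a fuzzy hash and is not covered by hashlib; compare it with the ssdeep tool (`ssdeep -m` against a file of known hashes) to find near-variants that the exact digests above will not match.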